The US Federal Bureau of Investigation (FBI) has published an advisory on car hacking, marking one of the US government's first public warnings on the cyber-threats of tomorrow.
The FBI published the warning last Thursday along with the Department of Transportation and the National Highway Traffic and Safety Administration.
In it, the government warned drivers of the dangers of remotely hackable cars. Pointing to the now-famous hack of the Jeep Cherokee in 2014, the FBI expressed to the public that such things were not the stuff of science fiction, but real and present dangers.
From there, the advisory made a number of recommendations about ensuring the security of a potentially hackable vehicle, including ensuring software is up to date, being careful when modifying vehicle software, and understanding what third parties have electronic and physical access to your vehicle.
Tony Dyhouse, a veteran of cyber-security, spoke to SCMagazineUK.com, saying, “Anything that brings this risk to the attention of the public is a good thing – it's awareness. However, I'm always a little concerned when the onus for keeping the vehicle secure is placed firmly on the owner.”
Dyhouse added, “We can't expect every car owner to become a digital security expert. I'd like to see manufacturers doing more to provide a secure asset in the first place. Many manufacturers repeatedly claim that they take security very seriously, but this has not been evidenced by real occurrences.”
Looking out for software updates may not be as easy as the advisory makes out. The FBI warned customers to "keep vehicle software up to date, but be cautious of hackers sending fake notifications of vehicle updates containing malicious software".
How, Dyhouse asks, is the public supposed to know which notification is fake and which is legitimate? “If the owner was provided with notification of an update present, how could they be expected to possess sufficient evidence that the update is legitimate? The skills of social engineering remain extremely effective in society.”
While such developments might be encouraging to some, the US government are arguably late to the game. Ever since Charlie Miller and Chris Valasek remotely hacked a 2014 Jeep Cherokee, car hacking has not been far from tech headlines.
Aside from the plethora of demonstrations showing similar techniques on new models and the legion hacker forums discussing how one might go about hacking a vehicle, car hacking has started to make its appearance in the wild. Fiat Chrysler had to recall 1.4 million vehicles for fear of software weaknesses making cars vulnerable to remote exploitation. Only this year, London's Metropolitan Police announced that car hacking was responsible for 6000 thefts in the capital in 2014, a quarter of all vehicle thefts.
Meanwhile, on this side of the Atlantic, Chancellor George Osborne has announced in his most recent budget the first trial of driverless lorries on UK roads. The introduction of these automated HGV convoys will come as soon as this year on the M6 in Cumbria.
Christine Cavigioli, VP automotive at Gemalto, told SC, “With the Chancellor announcing that autonomous vehicles will hit British motorways next year, the race to develop the first consumer connected car is well underway and security must be at the heart of this process.”
She added, “Security is one of the biggest challenges in all connected environments and this is particularly evident in connected cars where personal safety can be compromised should something go wrong. Therefore, the automotive industry needs to incorporate a security by design approach – protection is integrated in the initial design stages right through to the physical prototyping.”
John Smith, principal solution architect at Veracode, also spoke to SC on the topic, saying while the government's decision to invest in new technologies is commendable, “Cyber-security factors must be brought to the forefront of policy agendas from the outset. Government bodies and manufacturers need to prioritise security across systems that impact safety – such as software and applications downloaded to the lorries.”
Smith added, “Vulnerable software is one of the most significant challenges faced by the automotive industry. Findings from a recent IDC report indicated that there could be a lag of up to three years before car security systems are protected from hackers. With over 200 million lines of code in today's connected car, not to mention smartphone apps linked to the car, we must ensure they are developed with security at the heart of the strategy, rather than as an afterthought.”